Verizon’s “supercookies” violated net neutrality transparency rule

Verizon agrees to £1 million fine and will make it easier to avoid tracking cookies.

Verizon Wireless has agreed to pay a $1.35 million fine and give users more control over "supercookies" that identify customers in order to deliver targeted ads from Verizon and other companies. Verizon's use of the supercookies without properly notifying users violated a net neutrality rule that requires Internet providers to disclose accurate information about network management practices to consumers, the FCC said.

Verizon's settlement with the Federal Communications Commission, announced today, stems from an investigation into the carrier's "practice of inserting unique identifier headers [UIDH] or so-called 'supercookies' into its customers’ mobile Internet traffic without their knowledge or consent," the FCC said. Verizon began inserting the identifier—which could not be deleted by consumers—into its subscribers' HTTP Internet traffic in December 2012 and made some limited disclosures in its privacy policy. But the company "did not specifically disclose the presence of UIDH and its uses until October 2014," the FCC said.

ProPublica reported in January 2015 that an online advertising clearinghouse called Turn was taking advantage of the unique identifiers, also known as "zombie cookies," and using them "to respawn tracking cookies that users have deleted." Shortly after that, Verizon said it would offer customers a way to opt out.

Verizon's failure to disclose "accurate and adequate" information to consumers about the supercookies violated transparency requirements from the FCC's 2010 net neutrality rules, the FCC said. Those were the same rules that Verizon sued to overturn. While a federal appeals court mostly sided with Verizon, the ruling upheld the transparency rule that Verizon violated with its supercookies. (This is separate from the FCC's latest net neutrality rules, which are also being challenged in court by broadband industry groups.)

The FCC also said that Verizon's actions violated customer data privacy requirements in Section 222 of the Communications Act.

Verizon has to implement a three-year compliance plan. "Verizon Wireless is notifying consumers about its targeted advertising programs, will obtain customers’ opt-in consent before sharing UIDH with third parties, and will obtain customers’ opt-in or opt-out consent before sharing UIDH internally within the Verizon corporate family," the FCC said.

In a statement to Ars, Verizon said, "Over the past year, we have made several changes to our advertising programs that have provided consumers with even more options. Today’s settlement with the FCC recognizes that. We will continue to give customers the information they need to decide what programs and services are right for them."

This is the second time the FCC has taken action against a company for violating the transparency rule. The first was a $100 million proposed fine against AT&T for throttling the wireless Internet connections of customers with unlimited data plans without adequately notifying the customers about the reduced speeds. AT&T is contesting the decision.